How to enable cross-origin resource sharing (CORS) for HTTP-based connections

Originally Published on 02/02/2016 | Updated on 06/07/2018 9:31 am PDT

Cross-origin resource sharing (CORS) is a mechanism that allows resources to be requested from a domain that's outside the domain from which the request originated. In general, CORS headers are required to enable browser-based HTML5 video players to fetch video and other information from a Wowza Streaming Engine media server and to allow a website in one domain to request video from a streaming media server in a different domain. This article describes how to configure cross-origin HTTP access control settings in Wowza Streaming Engine Manager so that a website on one domain can deliver HTTP-based streaming video and other information from the streaming media server that's on a different domain.

Note: Wowza Streaming Engine™ software version 4.4.0 (or later) is required.

Contents

Configure CORS headers in Wowza Streaming Engine Manager
Customize CORS headers with properties - application settings
Customize CORS headers with properties - VHost settings
List of default CORS headers
Configure CORS headers for HTTP Providers

Configure CORS headers in Wowza Streaming Engine Manager

This section shows you how to set up cross-origin resource sharing (CORS) for streaming applications in Wowza Streaming Engine Manager. It uses the default live application as an example, but you can use these instructions for any streaming application.
 
  1. In Wowza Streaming Engine Manager, in the Applications contents panel, click live, and then click Edit.
     
    Note: CORS headers are supported by all application types. If you want to create a new streaming application, click Add Application in the contents panel, and then the application type you want to use. Follow the instructions in the UI.
  2. On the live application page, select Cross-origin resource sharing (CORS), and then click Save.

 
Note: In Wowza Streaming Engine 4.5.0 and later, this setting is enabled by default.
Enabling this option turns on a default set of CORS headers that work for ALL HTTP-based streaming protocols. The CORS headers are enabled for all of the selected HTTP-based Playback Types for the application. To turn on CORS headers for specific HTTP-based streaming protocols, you can manage the Playback Types list in the application settings, or you can configure properties to enable specific HTTP-based streaming protocols to have CORS enabled. You MUST configure properties to change the CORS header values.
 
Note: In Wowza Streaming Engine 4.5.0, CORS headers are enabled for all of the HTTP-based streaming protocols by default. (In Wowza Streaming 4.4.x, CORS headers are enabled for MPEG-DASH streaming by default.) You can disable CORS headers for HTTP-based streams by setting the [protocol]CORSHeadersEnabled property to false.

Customize CORS headers with properties - application settings

After you enable CORS headers, you can adjust the default settings by adding the properties shown in the table below to your application. Each CORS property is prefixed with a [protocol] value, which is either the appropriate protocol name (cupertino, sanjose, mpegdash, or smooth) or http to denote ALL HTTP streaming protocols.
 
Path
Name
Type
Notes
/Root/Application/HTTPStreamer [protocol]CORSHeadersEnabled Boolean Enables CORS headers for the specified protocol. Default value is true (Wowza Streaming Engine 4.5.0) or false (Wowza Streaming Engine 4.4.x).
Note: If you set this property to false for http, CORS headers are still provided for cupertino, mpegdash, sanjose, or smooth (what is provided depends on your Streaming Engine software version). You must configure the [protocol]CORSHeadersEnabled property to disable CORS headers for a specific protocol. For example, set the mpegdashCORSHeadersEnabled property to false to disable CORS headers for mpegdash.
/Root/Application/HTTPStreamer [protocol]CORSHeadersEnableAge Boolean Adds Age CORS headers to the output when set to true. Default value is false.
/Root/Application/HTTPStreamer [protocol]CORSHeadersEnableMain Boolean Adds Main CORS headers to the output when set to true. Default value is true when CORS headers are enabled.
/Root/Application/HTTPStreamer [protocol]CORSHeadersSetAge String Sets a specific CORS headers to the Age list as a pipe-separated list of header name:value pairs. This allows you to override the default set for a specific header. The header name MUST start with Access-Control- (for example, Access-Control-Max-Age) to be added to the output list.
/Root/Application/HTTPStreamer [protocol]CORSHeadersAddAge String Adds specific CORS headers to the Age list as a pipe-separated list of header name:value pairs. The header name MUST start with Access-Control- (for example, Access-Control-Max-Age) to be added to the output list.
/Root/Application/HTTPStreamer [protocol]CORSHeadersRemoveAge String Removes specific CORS headers from the Age list. Specify the CORS headers to remove as a comma-separated list of CORS header names.
/Root/Application/HTTPStreamer [protocol]CORSHeadersSetMain String Sets a specific CORS headers to the Main list as a pipe-separated list of header name:value pairs. This allows you to override the default set for a specific header. The header name MUST start with Access-Control- (for example, Access-Control-Allow-Credentials) to be set in the output list.
/Root/Application/HTTPStreamer [protocol]CORSHeadersAddMain String Adds specific CORS headers to the Main list as a pipe-separated list of header name:value pairs. The header name MUST start with Access-Control- (for example, Access-Control-Allow-Credentials) to be added to the output list.
Root/Application/HTTPStreamer [protocol]CORSHeadersRemoveMain String Removes specific CORS headers from the Main list. Specify the CORS headers to remove as a comma-separated list of CORS header names.
Root/Application/HTTPStreamer [protocol]CORSDynamicEnabled Boolean (Wowza Streaming Engine 4.7.5 and later) Reflects the Origin: header value back to the client in the Access-Control-Allow-Origin header when set to true. The default value is false. Currently, there is no checking in place to validate the domain.
Root/Application/HTTPStreamer [protocol]CORSUseHostname Boolean (Wowza Streaming Engine 4.7.5 and later) Uses the fully qualified hostname in the Access-Control-Allow-Origin header when set to true. This enables badly configured clients to receive CORS responses even when they don't send a request. The default value is false.

To add properties in Wowza Streaming Engine Manager

To add any of the above CORS headers properties to your streaming application, do the following:
 
  1. In Wowza Streaming Engine Manager, click the Applications tab and then click the name of your live application (such as live) in the contents panel.
     
  2. On the application page Properties tab, click Custom in the Quick Links bar.
     
    Note: Access to the Properties tab is limited to administrators with advanced permissions. For more information, see Manage credentials.
  3. In the Custom area, click Edit.
     
  4. Click Add Custom Property, specify the property Path, Name, Type, and Value in the Add Custom Property dialog box, and then click Add:
     
  5. Click Save, and then restart the application to apply the changes.

List of default CORS headers

CORS headers (Main)

  • Access-Control-Allow-Origin: *
  • Access-Control-Allow-Credentials: true
  • Access-Control-Expose-Headers: Date, Server, Content-Type, Content-Length
  • Access-Control-Allow-Methods: OPTIONS, GET, POST, HEAD
  • Access-Control-Allow-Headers: Content-Type, User-Agent, If-Modified-Since, Cache-Control, Range

CORS headers (Age)

  • Access-Control-Max-Age: 60

Customize CORS headers with properties - VHost settings

The default setting is to enable CORS headers for VHost-level requests that aren't serviced by an HTTP Provider or application. You can adjust the default setting by adding the properties shown in the table above to your [install-dir]/VHost.xml file (You must add the properties to the last <Properties> section in VHost.xml using a text editor. Each CORS property is prefixed with a [protocol] value. The following example shows a common 'options' request directed at a VHost: 
<Property>
	<Name>optionsCORSHeadersAddMain</Name>
	<Value>Access-Control-Allow-Headers:X-Authorization</Value>
	<Type>String</Type>
</Property>

Configure CORS headers for HTTP Providers

Wowza Streaming Engine software has built-in HTTP Providers and also provides the ability to add custom HTTP Providers that provide additional information to clients. (For more details, see HTTP Providers.) By default, the Built-in HTTP Providers include CORS headers when providing information. You can disable this functionality on a per-HTTP Provider basis by adding a specific property to the HTTP Provider configuration, as shown below: 
<HTTPProvider>
    <BaseClass>com.wowza.wms.http.HTTPServerInfoXML</BaseClass>
    <RequestFilters>serverinfo*</RequestFilters>
    <AuthenticationMethod>admin-digest</AuthenticationMethod>
    <Properties>
        <Property>
            <Name>httpCORSHeadersEnabled</Name>
            <Value>false</Value>
            <Type>Boolean</Type>
        </Property>
    </Properties>
    </HTTPProvider>

If you're having problems or want to discuss this article, post in our forum.

Was this article helpful?
Thank you for your feedback!
User Icon

Thank you for providing feedback to help us improve our documentation!

If you need immediate help for an urgent issue, open a support ticket to get help from one of our technical support engineers. (You must have a valid Maintenance and Support contract to get technical support.)

© 2005–2018 Wowza Media Systems, LLC. All rights reserved.   Terms Privacy Trademarks Legal